Typically, web application security uses various restrictions and business rules to determine what type of user privileges are required to access various functionalities of a web application. Web application security may be based on various qualifiers, such as a user's assigned role, a user's subscription, a user's device, a user's geographic location, a user's profile, the time of a user's access request, the version of the web application, the client-server environment, the user-requested functionality, the user's service agreement, and the user's tenant in a multi-tenant database system. Traditionally, web application security is a configurable part of implementing a web application. Each web application functionality needs to be configured in a web application security configuration. Any change to a web application's business rules or security needs to be carefully reconfigured to insure that any change is handled properly in each and every part of the web application. When new web application functionalities are added to a web application, corresponding security configurations also need to be added. These requirements may become challenging for cloud-based enterprise software-as-a-service solutions, as each tenant (typically an enterprise company) needs to configure the software-as-a-service based web application security as per the tenant's business practices and type of services.